Difference between revisions of "Amstrad Cartridge Identification Device"

From CPCWiki - THE Amstrad CPC encyclopedia!
Jump to: navigation, search
m (Spelling)
(Added picture of the decapped ACID chip)
 
(48 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
[[Image:Inside GX4000 cart 1.jpg|frame|right|ACID protection chip within a cartridge (bottom)]]
 
[[Image:Inside GX4000 cart 1.jpg|frame|right|ACID protection chip within a cartridge (bottom)]]
  
The '''ACID''' ('''A'''mstrad '''C'''artridge '''I'''dentification '''D'''evice) protection chip is used in the [[GX4000 cartridge|cartridges]] of the [[Plus]] series and the [[GX4000]] game console. Because this chip was a custom creation by Amstrad it is currently not possible to replace this chip nor to build new cartridges, because it is not known how it works. It is labelled with "Amstrad 40908".
+
The '''ACID''' (Amstrad Cartridge Identification Device) protection chip is used in the [[GX4000 cartridge|cartridges]] of the [[Plus]] series and the [[GX4000]] game console. After Nocash decrypted the internal algorithms it is possible to replace the protection chip with a complex programmable logic device (CPLD).
  
 +
 +
== Technical ==
 +
 +
The 16pin ACID chip (in the cartridge) is sending a serial data stream to the 160pin ASIC chip (in the computer). The data stream is generated by some shift/xor logic, and is also affected by the EPROM address/enable signals. If the data stream isn't correct, then the ASIC does scatter access to RAM, making the cartridge unusable.
 +
 +
;ACID reverse-engineered 13-16 February 2010 by nocash (Martin Korth)
 +
;below is repeated on every CLK cycle...
 +
CmpVal=13596h, XorVal=0c820h
 +
if PinA0=1 then CmpVal=CmpVal XOR 0000ch, XorVal=XorVal XOR 00004h
 +
if PinA1=1 then CmpVal=CmpVal XOR 06000h, XorVal=XorVal XOR 06000h
 +
if PinA2=1 then CmpVal=CmpVal XOR 000c0h, XorVal=XorVal XOR 00080h
 +
if PinA3=1 then CmpVal=CmpVal XOR 00030h, XorVal=XorVal XOR 00020h
 +
if PinA4=1 then CmpVal=CmpVal XOR 18000h, XorVal=XorVal XOR 08000h
 +
if PinA5=1 then CmpVal=CmpVal XOR 00003h, XorVal=XorVal XOR 00000h
 +
if PinA6=1 then CmpVal=CmpVal XOR 00600h, XorVal=XorVal XOR 00000h
 +
if PinA7=1 then CmpVal=CmpVal XOR 01800h, XorVal=XorVal XOR 00800h
 +
if PinCE=0 AND (ShiftReg OR 100h)=CmpVal then ShiftReg=ShiftReg XOR XorVal
 +
NewBit=ShiftRegBit0 XOR ShiftRegBit9 XOR ShiftRegBit12 XOR ShiftRegBit16
 +
ShiftReg=(ShiftReg SHR 1) + (NewBit SHL 16)
 +
Wait for falling edge on PinCLK
 +
if PinCCLR=0 then ShiftReg=1FFFFh      ;\done at falling CLK edge
 +
PinSIN=ShiftRegBit0                    ;/
 +
;Mind that above is a software example - a hardware solution obviously
 +
;wouldn't require CmpVal and XorVal registers - instead, hardware would
 +
;directly deal with the PinAx (or NOT PinAx) signals.
 +
 +
Replacing or overwriting the EPROM in existing cartridges is easy, so the ACID doesn't prevent piracy or homebrew programming. However, it prevents commercial developers from producing unlicensed cartridges.
 +
 +
== Timings ==
 +
 +
Although the functionatlity of the ACID chip is known. The timings of the signals coming from the computer is still unknown (reverse-engineering was done on a ACID chip, without owning a CPC+/GX4000).
 +
* CLK is known to be 4MHz, and SIN is known to be updated on falling edge of CLK, as seen on [[Media:ACID-SIN.jpg|this picture]].
 +
* Judging from the ACID chip, /CCLR is checked on falling edge of CLK. However, juding from [[Media:ACID-CCLR.png| this picture]], /CCLR is ''changing'' on falling edge of CLK. If this is true (the picture resolution isn't perfect), then it's unclear how the ACID can interprete /CCLR in a stable way while it's changing. Possibly, it can't do that at all (ie. it might act unstable, and the CPC+ might need to retry sending /CCLR several times).
 +
** '''WANTED:''' A picture showing CLK and /CCLR without ACID connected (at better resolution) would help!
 +
** A picture showing CLK and /CCLR with ACID connected is [[Media:ACID Init by Grim.png|found here]].
 +
* The /CE timing is still unknown, too. The ACID might check A0-A7 on raising or falling edge of /CE. Or, on raising or falling edge of CLK while /CE being LOW. Or at whatever other time.
 +
** '''WANTED:''' A picture showing CLK and /CE would help!
 +
** '''WANTED:''' Best also showing one or more of the A0-A7 signals.
 +
 +
<gallery>
 +
Image:ACID Init by Grim.png|/RESET, CLK, CCLR, SIN (init sequence)
 +
Image:ACID-SIN.jpg|CLK and SIN
 +
Image:ACID-CCLR.png|CLK and CCLR (and some offtopic signals) (from CPC, without ACID connected)
 +
</gallery>
  
 
== Pinout ==
 
== Pinout ==
Line 8: Line 52:
 
<pre>
 
<pre>
 
           +--()--+
 
           +--()--+
       GND | 1 16| +5V
+
       GND |1   16| +5V     AMSTRAD 40908
       A7  | 2 15| A6
+
       A7  |2   15| A6       1L03P1003
       CLK4| 3 14| A5
+
       CLK4|3   14| A5       JAPAN
       NC  | 4 13| A4
+
       NC  |4   13| A4
       CCLR| 5 12| A3
+
       CCLR|5   12| A3
       SIN | 6 11| A2
+
       SIN |6   11| A2
       |CE | 7 10| A1
+
       /CE |7   10| A1
       GND | 8   9| A0
+
       GND |8   9| A0
 
           +------+
 
           +------+
 
</pre>
 
</pre>
Line 24: Line 68:
 
|1||GND||-||Ground
 
|1||GND||-||Ground
 
|-
 
|-
|2||A7||Input||Address A7
+
|2||A7||Input||EPROM Address A7
 
|-
 
|-
 
|3||CLK4||Input||Clock (4 MHz)
 
|3||CLK4||Input||Clock (4 MHz)
Line 30: Line 74:
 
|4||NC||-||Not connected
 
|4||NC||-||Not connected
 
|-
 
|-
|5||CCLR||?||?
+
|5||CCLR||Input||Reset ACID
 
|-
 
|-
|6||SIN||?||?
+
|6||SIN||Output||Serial Data
 
|-
 
|-
|7||/CE||Input||Chip enable
+
|7||/CE||Input||EPROM Chip enable
 
|-
 
|-
 
|8||GND||-||Ground
 
|8||GND||-||Ground
 
|-
 
|-
|9||A0||Input||Address A0
+
|9||A0||Input||EPROM Address A0
 
|-
 
|-
|10||A1||Input||Address A1
+
|10||A1||Input||EPROM Address A1
 
|-
 
|-
|11||A2||Input||Address A2
+
|11||A2||Input||EPROM Address A2
 
|-
 
|-
|12||A3||Input||Address A3
+
|12||A3||Input||EPROM Address A3
 
|-
 
|-
|13||A4||Input||Address A4
+
|13||A4||Input||EPROM Address A4
 
|-
 
|-
|14||A5||Input||Address A5
+
|14||A5||Input||EPROM Address A5
 
|-
 
|-
|15||A6||Input||Address A6
+
|15||A6||Input||EPROM Address A6
 
|-
 
|-
 
|16||+5V||-||Vcc
 
|16||+5V||-||Vcc
 
|}
 
|}
  
Investigation (Spanish language):
+
Note: The two GND pins are interconnected with each other (inside of the chip). The NC pin seems to be always high.
http://amstradcpc.mforos.com/305097/7723493-que-hace-exactamente-el-chip-acid-de-los-cartuchos/
+
 
 +
== Clones ==
 +
 
 +
* An ACID replacement using a Xilinx XC9536 CPLD and some [[Verilog implementation of the ACID chip|Verilog code]] based on nocash's reverse engineering work has been built by [[Octoate]] and [[Nilquader]].
 +
* Miguel Angel (aka mcleod_ideafix) has published all the info about his implementation of the ACID in a CPLD, verilog sources included [http://www.zxprojects.com/index.php/analisis-del-chip-acid/62-analisis-del-chip-acid-del-amstrad-cpcgx4000]
 +
* It's possible to use the CPC+ without ACID by exploiting a timing bug in the CPC+/GX4000-ASIC Chip. (Developed by [[Nilquader]])
 +
<gallery caption="Running CPC+ without ACID">
 +
Image:NoAcid.jpg|GX4000 running without ACID
 +
Image:NoAcid_sch.png|Schematics
 +
</gallery>
 +
 
 +
== Pictures ==
 +
* ACID chip decapped. Many thanks to Sean Riddle!
 +
<gallery>
 +
Image:40908_Metal_Small.jpg
 +
</gallery>
 +
 
 +
== Misc ==
 +
 
 +
* [[Test Circuit used for ACID reverse engineering]]
 +
 
 +
==Investigations==
 +
 
 +
*http://amstradcpc.mforos.com/305097/7723493-que-hace-exactamente-el-chip-acid-de-los-cartuchos/ (Spanish language)
 +
 
 +
*[http://www.vieuzordiland.fr/index.php?option=com_content&task=view&id=23&Itemid=34 Vieuxzordiland's page on the matter. In French]
 +
 
 +
*[http://cpcwiki.eu/forum/index.php/topic,410.0.html| The CPCwiki's forum thread featuring the Epic fight between the infamous ACID and NoCa$h.]
 +
 
 +
 
 +
 
 +
 
  
[[Category:Hardware]][[Category:Cartridges]][[Category:CPC Plus]]
+
[[Category:Hardware]][[Category:Cartridges| ]][[Category:CPC Plus]][[Category:CPC Internal Components]][[Category:Amstrad Products]][[Category:Electronic Component]]

Latest revision as of 18:49, 18 November 2017

ACID protection chip within a cartridge (bottom)

The ACID (Amstrad Cartridge Identification Device) protection chip is used in the cartridges of the Plus series and the GX4000 game console. After Nocash decrypted the internal algorithms it is possible to replace the protection chip with a complex programmable logic device (CPLD).


Technical

The 16pin ACID chip (in the cartridge) is sending a serial data stream to the 160pin ASIC chip (in the computer). The data stream is generated by some shift/xor logic, and is also affected by the EPROM address/enable signals. If the data stream isn't correct, then the ASIC does scatter access to RAM, making the cartridge unusable.

;ACID reverse-engineered 13-16 February 2010 by nocash (Martin Korth)
;below is repeated on every CLK cycle...
CmpVal=13596h, XorVal=0c820h
if PinA0=1 then CmpVal=CmpVal XOR 0000ch, XorVal=XorVal XOR 00004h
if PinA1=1 then CmpVal=CmpVal XOR 06000h, XorVal=XorVal XOR 06000h
if PinA2=1 then CmpVal=CmpVal XOR 000c0h, XorVal=XorVal XOR 00080h
if PinA3=1 then CmpVal=CmpVal XOR 00030h, XorVal=XorVal XOR 00020h
if PinA4=1 then CmpVal=CmpVal XOR 18000h, XorVal=XorVal XOR 08000h
if PinA5=1 then CmpVal=CmpVal XOR 00003h, XorVal=XorVal XOR 00000h
if PinA6=1 then CmpVal=CmpVal XOR 00600h, XorVal=XorVal XOR 00000h
if PinA7=1 then CmpVal=CmpVal XOR 01800h, XorVal=XorVal XOR 00800h
if PinCE=0 AND (ShiftReg OR 100h)=CmpVal then ShiftReg=ShiftReg XOR XorVal
NewBit=ShiftRegBit0 XOR ShiftRegBit9 XOR ShiftRegBit12 XOR ShiftRegBit16
ShiftReg=(ShiftReg SHR 1) + (NewBit SHL 16)
Wait for falling edge on PinCLK
if PinCCLR=0 then ShiftReg=1FFFFh      ;\done at falling CLK edge
PinSIN=ShiftRegBit0                    ;/
;Mind that above is a software example - a hardware solution obviously
;wouldn't require CmpVal and XorVal registers - instead, hardware would
;directly deal with the PinAx (or NOT PinAx) signals.

Replacing or overwriting the EPROM in existing cartridges is easy, so the ACID doesn't prevent piracy or homebrew programming. However, it prevents commercial developers from producing unlicensed cartridges.

Timings

Although the functionatlity of the ACID chip is known. The timings of the signals coming from the computer is still unknown (reverse-engineering was done on a ACID chip, without owning a CPC+/GX4000).

  • CLK is known to be 4MHz, and SIN is known to be updated on falling edge of CLK, as seen on this picture.
  • Judging from the ACID chip, /CCLR is checked on falling edge of CLK. However, juding from this picture, /CCLR is changing on falling edge of CLK. If this is true (the picture resolution isn't perfect), then it's unclear how the ACID can interprete /CCLR in a stable way while it's changing. Possibly, it can't do that at all (ie. it might act unstable, and the CPC+ might need to retry sending /CCLR several times).
    • WANTED: A picture showing CLK and /CCLR without ACID connected (at better resolution) would help!
    • A picture showing CLK and /CCLR with ACID connected is found here.
  • The /CE timing is still unknown, too. The ACID might check A0-A7 on raising or falling edge of /CE. Or, on raising or falling edge of CLK while /CE being LOW. Or at whatever other time.
    • WANTED: A picture showing CLK and /CE would help!
    • WANTED: Best also showing one or more of the A0-A7 signals.

Pinout

           +--()--+
       GND |1   16| +5V      AMSTRAD 40908
       A7  |2   15| A6       1L03P1003
       CLK4|3   14| A5       JAPAN
       NC  |4   13| A4
       CCLR|5   12| A3
       SIN |6   11| A2
       /CE |7   10| A1
       GND |8    9| A0
           +------+
Pin number Name Direction Description
1 GND - Ground
2 A7 Input EPROM Address A7
3 CLK4 Input Clock (4 MHz)
4 NC - Not connected
5 CCLR Input Reset ACID
6 SIN Output Serial Data
7 /CE Input EPROM Chip enable
8 GND - Ground
9 A0 Input EPROM Address A0
10 A1 Input EPROM Address A1
11 A2 Input EPROM Address A2
12 A3 Input EPROM Address A3
13 A4 Input EPROM Address A4
14 A5 Input EPROM Address A5
15 A6 Input EPROM Address A6
16 +5V - Vcc

Note: The two GND pins are interconnected with each other (inside of the chip). The NC pin seems to be always high.

Clones

  • An ACID replacement using a Xilinx XC9536 CPLD and some Verilog code based on nocash's reverse engineering work has been built by Octoate and Nilquader.
  • Miguel Angel (aka mcleod_ideafix) has published all the info about his implementation of the ACID in a CPLD, verilog sources included [1]
  • It's possible to use the CPC+ without ACID by exploiting a timing bug in the CPC+/GX4000-ASIC Chip. (Developed by Nilquader)

Pictures

  • ACID chip decapped. Many thanks to Sean Riddle!

Misc

Investigations